.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: About Winbindd and IDMapping
   :keywords: Winbindd, Samba-AD, Active Directory, documentation, IDMapping

.. _about_winbindd:

############################
About Winbindd and IDMapping
############################

*******************
The Winbind service
*******************

:program:`Winbindd` is a daemon that resolves names in a UNIX environment and
names and groups in an Active Directory domain. It implements the concept of
IDMapping (or IDMap) to convert the SIDs of the Windows world
(e.g. *S-1-5-21-4262773471-1330489575-488031063-2616*) to a UID or GID of the
Unix world, and vice versa.

Other tools for mapping between SIDs and UIDs exist, such as the
:abbr:`SSSD (System Security Services Daemon)` service. Depending on the use
case, one or the other will be preferable. For example, we recommend using
:program:`Winbind` on file servers and :program:`SSSD` on client computers.

******************
The concept of SID
******************

In the Windows environment, each user, each machine and each group is
identified with a unique identifier, the :abbr:`SID (Security IDentifier)`.

The SID can be a short SID (e.g. *S-1-0*, *S-1-5-32-544*), which corresponds
to a well-known SID, or a long SID
(*S-1-5-21-4262773471-1330489575-488031063-2616*).

The group *Administrators*, which is local to a machine (not to be confused
with the group *Domain Admins*, which is global to the domain), is referenced
with a short SID: *S-1-5-32-544*.

A long SID can refer to a domain user, but also to a local user created on the
machine. In this second case, the *authentication domain* is the machine
itself.
A long SID has two parts: the first part is the same for all users in the
domain, and the last group of numbers, called the
:abbr:`RID (Relative IDentifier)`, is unique for each user. For example, in
SID *S-1-5-21-4262773471-1330489575-488031063-2616*, the domain SID is
*S-1-5-21-4262773471-1330489575-488031063*, and it is the same for all users,
machines and groups in the domain; the RID is *-2616*, and it is unique for
each user, machine and group in the domain.

There is a list of *Well-Known-RIDs* that are the same for all domains. There
are several tens of *Well-Known-RIDs*; the main ones to remember are the
following:

* **-500**: Administrator;
* **-512**: Domain Admins;
* **-513**: Domain Users;
* **-515**: Domain Computers.

.. note::

   For your information, a short SID, in addition to referring to a user or
   group, may refer to a concept. For example, the SID *S-1-16-12288* is
   actually a security token which gives a high level of execution to the
   current process (see :abbr:`UAC (User Account Control)`).

   You can find a list of existing SIDs (short SIDs and long SIDs) by
   `visiting this link `_.

.. _about_idmap:

*****************
The IDMap concept
*****************

:abbr:`IDMap (ID Mapping)` is used to map a Windows ID (SID) to a Linux ID
(UID/GID). It is necessary to define a mapping scheme since the two
environments have different ways of referring to users, groups and machines.

The concept of SIDs in Windows environments is much broader than the concept
of UIDs in Unix environments: a SID encodes whether a user is local or remote
and which domain the user belongs to. The Unix environment only gives an
integer for this.

There are several programs for maintaining the IDMap. The default service
offered by Samba is **Winbind**. The one offered by RedHat is **SSSD**. Both
solutions have their advantages and disadvantages. At Tranquil IT, we commonly
use **Winbind** on file servers, while we use **SSSD** on Linux workstations.
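The SID structure described in the sections above (short well-known SIDs, the domain part of a long SID, and the trailing RID), as an added example in Python that is not part of the original page or of Samba: it validates the textual form, splits off the domain SID and RID, and labels the well-known RIDs listed above. The descriptions attached to the short SIDs are taken from the text above; everything else is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RIDs listed in the section above; they mean the same thing in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers"}
# Short SIDs mentioned in the section above (descriptions as given there).
WELL_KNOWN_SIDS = {"S-1-5-32-544": "Administrators (local to the machine)",
                   "S-1-16-12288": "high integrity level token (UAC)"}

# S-1-<authority>[-<sub-authority>...]; short SIDs may have no sub-authority.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")

@dataclass(frozen=True)
class Sid:
    text: str
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def domain_sid(self) -> Optional[str]:
        """Domain part of a long SID (S-1-5-21-x-y-z); None for short SIDs."""
        if self.authority == 5 and len(self.sub_authorities) >= 4 and self.sub_authorities[0] == 21:
            return "S-1-5-21-" + "-".join(str(n) for n in self.sub_authorities[1:4])
        return None

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the trailing number of a long SID, if present."""
        if self.domain_sid is not None and len(self.sub_authorities) == 5:
            return self.sub_authorities[4]
        return None

def parse_sid(text: str) -> Sid:
    """Validate the textual form and split it into authority and sub-authorities."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(n) for n in m.group(2).split("-")[1:])
    if any(n >= 2**32 for n in subs):  # sub-authorities are 32-bit values
        raise ValueError(f"sub-authority out of range: {text!r}")
    return Sid(text, int(m.group(1)), subs)

def describe(text: str) -> str:
    """Classify a SID as the section above does: well-known, domain SID, or domain SID + RID."""
    sid = parse_sid(text)
    if sid.text in WELL_KNOWN_SIDS:
        return f"well-known SID: {WELL_KNOWN_SIDS[sid.text]}"
    if sid.domain_sid is None:
        return "short SID"
    if sid.rid is None:
        return f"domain SID {sid.domain_sid}"
    what = WELL_KNOWN_RIDS.get(sid.rid, "domain-specific user, machine or group")
    return f"domain {sid.domain_sid}, RID {sid.rid}: {what}"
```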
There are three main ways of making a correspondence table between the two
worlds, plus a fourth:

* TDB;
* RFC2307;
* RID;
* RID with self-generated offset (SSSD mode).

*********************
The xidnumber concept
*********************

In Windows environments, it is possible for a group to own a file or
directory. In the Unix environment, however, the owner of a file is always a
user.

In the case of the :file:`SYSVOL` directory that contains the GPOs on an
Active Directory server, certain GPO directories belong to the *Domain Admins*
group. Microsoft GPO clients are very strict about the permissions of the
:file:`SYSVOL` directory, and if the permissions are not compliant, the GPOs
will not be applied.

To solve this problem, Samba has developed the concept of *xidNumber* (by
extension of uidNumber and gidNumber). A *xidNumber* can be used indifferently
for a group right or a user (owner) right.

The RFC2307 mapping cannot correctly support *xidNumber* operation because it
does not guarantee that a user and a group will not have the same ID. Also,
the RID mode is currently not supported on domain controllers. This is why, in
our documentation, we recommend using TDB mapping on Samba domain controllers.
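A worked model of the mapping schemes listed above and of the xidNumber problem, added here as an example and not code from Samba, Winbind or SSSD: the RID-mode arithmetic (assumed to follow the form given in Samba's idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID, with results outside the configured range left unmapped), a collision check showing why independently assigned RFC2307 uidNumber/gidNumber values cannot serve as unambiguous xidNumbers, and a single-counter allocator in the spirit of TDB mapping that hands users and groups distinct IDs. The user and group entries are constructed sample data; only the domain SID comes from the page.

```python
from typing import Dict, Optional, Set

def rid_to_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """RID mode (assumed idmap_rid form): ID = RID - BASE_RID + LOW.
    Returns None when the result leaves [low, high], i.e. the SID is unmappable."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def find_xid_collisions(uid_numbers: Dict[str, int], gid_numbers: Dict[str, int]) -> Set[int]:
    """RFC2307 stores uidNumber and gidNumber as independent AD attributes, so one
    integer may name both a user and a group. Returns the ambiguous integers."""
    return set(uid_numbers.values()) & set(gid_numbers.values())

class TdbLikeAllocator:
    """One counter shared by users and groups, as TDB mapping does: every SID,
    whether user or group, gets its own xid, so group ownership is unambiguous."""

    def __init__(self, low: int, high: int) -> None:
        self.low, self.high, self.next_free = low, high, low
        self.by_sid: Dict[str, int] = {}
        self.by_xid: Dict[int, str] = {}

    def xid_for(self, sid: str) -> int:
        """Return the existing xid for a SID, or allocate the next free one."""
        if sid in self.by_sid:
            return self.by_sid[sid]
        if self.next_free > self.high:
            raise RuntimeError("idmap range exhausted")
        xid = self.next_free
        self.next_free += 1
        self.by_sid[sid] = xid
        self.by_xid[xid] = sid
        return xid

    def sid_for(self, xid: int) -> Optional[str]:
        """Reverse lookup, as needed when a file owner must be shown as a SID."""
        return self.by_xid.get(xid)

# Constructed sample data (not from the original page); the domain SID is the page's example.
DOMAIN = "S-1-5-21-4262773471-1330489575-488031063"
RFC2307_UIDS = {"alice": 10000, "bob": 10001}          # uidNumber attributes
RFC2307_GIDS = {"Domain Admins": 10000, "Domain Users": 10002}  # gidNumber attributes
```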